Using Web Security Scanner

Review Web Security Scanner managed scan findings in the Security Command Center dashboard, and see examples of Web Security Scanner findings. Web Security Scanner is a built-in service of the Security Command Center Premium tier. To view Web Security Scanner findings, the service must be enabled in the Security Command Center sources & services settings.

For more information, learn more about how Web Security Scanner works.

Reviewing findings

When Web Security Scanner generates findings, you can view them in Security Command Center. Web Security Scanner scans start approximately one hour after the service is enabled. The first scan can take up to 12 hours to complete.

Reviewing findings in Security Command Center

To review Web Security Scanner findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Web Security Scanner.
  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
    • What the event was
    • When the event occurred
    • The source of the finding data
    • The detection severity, for example High
    • The affected URL
  5. To display all findings that are associated with a given URL:
    1. On the finding detail panel, copy the URL next to externalUri.
    2. Close the finding detail panel.
    3. In the Findings tab Filter box, enter externalUri:affected-uri, where affected-uri is the URL you copied previously.

Security Command Center displays all of the findings that are associated with the URL that you provided.

Example findings

Example Web Security Scanner managed scan findings include the following:

Table A. Web Security Scanner managed scan finding types

Vulnerability | Description
Mixed-content | A page that was served over HTTPS also serves resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource, or monitor users' actions.
Clear text password | An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.
Outdated Library | The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.

Web Security Scanner identifies some vulnerable versions of the following popular libraries:

This list is updated periodically with new libraries and updated vulnerabilities as applicable.
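To make the first two finding descriptions in Table A concrete, the following added example (not Web Security Scanner's own code) runs the same two checks locally over a constructed HTTPS response: it lists HTTP sub-resources loaded by an HTTPS page, and it reports whether the X-Content-Type-Options: nosniff header is missing. The URL, HTML and headers are constructed placeholders.

```python
# Added example, not Google's scanner code: local checks mirroring two of the
# finding descriptions in Table A, run over a constructed HTTPS response.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs the browser actually fetches as sub-resources;
# plain <a href> links are navigation, not loaded content, so they are excluded.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
                  "audio": "src", "video": "src", "source": "src",
                  "object": "data", "embed": "src"}

class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def mixed_content(page_url, html):
    """HTTP sub-resource URLs loaded by an HTTPS page (the Mixed-content finding).
    Relative and protocol-relative ("//host/...") URLs inherit HTTPS and are not flagged."""
    if urlparse(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlparse(u).scheme == "http"]

def missing_nosniff(headers):
    """True when X-Content-Type-Options: nosniff is absent or carries another value.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get("x-content-type-options") != "nosniff"

# Constructed sample response; the host names are placeholders.
SAMPLE_URL = "https://app.example/login"
SAMPLE_HTML = (
    '<link rel="stylesheet" href="http://cdn.example/app.css">'
    '<script src="https://cdn.example/app.js"></script>'
    '<img src="//cdn.example/logo.png"><a href="http://other.example/">link</a>'
)
SAMPLE_HEADERS = {"Content-Type": "text/html", "x-content-type-options": "NOSNIFF"}

if __name__ == "__main__":
    print("Mixed content:", mixed_content(SAMPLE_URL, SAMPLE_HTML))
    print("nosniff missing:", missing_nosniff(SAMPLE_HEADERS))
```

Only the stylesheet is reported: the script is already HTTPS, the image is protocol-relative, and the anchor is a link rather than a loaded resource.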